2db73d977a57e046361ee6faa57a14005f8393c62d1ddefa7d424dfff9773cf1

General

Target

2db73d977a57e046361ee6faa57a14005f8393c62d1ddefa7d424dfff9773cf1.xls
Size

390KB
MD5

13b206b3e79a9d04ff497d128c01df53
SHA1

2e17982b433c9e32f25a5fec1707e573563c594f
SHA256

2db73d977a57e046361ee6faa57a14005f8393c62d1ddefa7d424dfff9773cf1
SHA512

5af0ed9d1dc21e373a269377fb98e693aab1cc88e5528148e91f885195ada6289a1c3cbad965fb52da6c4b7955ac5770017f8e5a156960de971d28ebe172fcb8
SSDEEP

6144:Nn1m9kdb/Gt8b++UXaVXKv6FW2LN6rKTbLfqmYJEgTy:NOeLlS5aVXKv6FhzbLfv2EgTy

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

1396 EXCEL.EXE
4976 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WINWORD.EXE

description pid process

Token: SeAuditPrivilege 4976 WINWORD.EXE

description	pid	process
Token: SeAuditPrivilege	4976	WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
1396	EXCEL.EXE
1396	EXCEL.EXE
1396	EXCEL.EXE
1396	EXCEL.EXE
1396	EXCEL.EXE
1396	EXCEL.EXE
1396	EXCEL.EXE
1396	EXCEL.EXE
1396	EXCEL.EXE
1396	EXCEL.EXE
1396	EXCEL.EXE
1396	EXCEL.EXE
4976	WINWORD.EXE
4976	WINWORD.EXE
4976	WINWORD.EXE
4976	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 4976 wrote to memory of 1892	4976	WINWORD.EXE	splwow64.exe
PID 4976 wrote to memory of 1892	4976	WINWORD.EXE	splwow64.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\2db73d977a57e046361ee6faa57a14005f8393c62d1ddefa7d424dfff9773cf1.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1396

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4976

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
471B

MD5
3ac24270f8f096f6e943600737a5d387

SHA1
c7700e1e0b01fb39c39a082d5a09efded11a0921

SHA256
f786f1a9c5dbf830c36a6892bcddea4b6fe4af9c593ca2ac9ee5734451be6fee

SHA512
86d6d80d4803b16b7a0993515ee211c4567e899ad4bb14f3c4e97deae4bd614e47cc406c081ba02a76e9f3d9e1d1e1bd39ebde91a63bbbfd55384f0bbc4a3dbb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
b132521bb683fed118854df6e614762e

SHA1
eb41efcf255f7aea443a9070822a25b7f65c118e

SHA256
23682cded75f94b6878b2478fa1a3987dcc2a2035f114ea681e6763e71bbab13

SHA512
7813d4997dc20c3df532f29c12fdc411378b8a92e634b1f31f4c277ea26ac231dc5540fe850d2582576c3b39a1b470a3022c11c46cf825cc6c9804b873339658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\1238707F-9242-4D6D-ADE8-61C5CF2C4351

Filesize
157KB

MD5
df177bc8609f6c738299aadb4a6cd090

SHA1
6725ed58f4ba2a521cdb47306cb5d060b563178a

SHA256
f3f34c1f34220b3cdadc7996c4565360ca89c69bfc7d77c5bdf9c26e27c3f2f0

SHA512
ffb4e11f154128e867ac37b9db3477e8f6f19c5087c97aff75ba510d15840837a3cc45c1a6cee1b8ac8a7cd160727b14f6a69426b833f3b40cab63408bcfd71e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
524b0de2947a87ae5c821bed745efe2c

SHA1
86147bbc95f0bbbc236ef59b3f813bc9335c26a8

SHA256
d519deee6b1ee1c9a7467e2e31343fa1ffeb00ecb173b08bd9fa22cdeed25aed

SHA512
283deba0ca978f9f8b3a6584342b4f60e57b2ad8f624b8b3ad95b6fd000c5dece5aeff8e5a81c69442487e5bddd9d18b3d778f2efa40727794765883b27d7bd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\f3df91c436730d7a37c58d5f25d9bf4a56fa3a34.tbres

Filesize
4KB

MD5
5abcb7fb9a89f0eb80b1a285913e5692

SHA1
14d050da8538013f94667ed98e087ca1be0bffe3

SHA256
16fefff9fc6a99db712339f7c06b4f857d98beec8cef30ab333392239f0cb3de

SHA512
f677fa870edc7d9651ee0b024cae538ab7c8c0fedd366a9ba8f6d2c0d67b8b08280cb09d007bd750f1db20a89179666ad1d8034377ca990b637177673fba0552

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Z29MWU1J\microsofdecidedtodeleteentirehistorycookiecachefrommypc[1].doc

Filesize
50KB

MD5
5451b82c9d7e98c077b8dc1f667f5b19

SHA1
5788704528823c1988964a8af9c2056dd42f787b

SHA256
1e4cba11fed2e6d17ef029301ae806af502cf79109dd9e70ec220d2d4b497a75

SHA512
5e5d5ee9eeaccf07cd2d4662fc1ede32231c04f27bbb66ece835b4c3c5fa18a022a636f6d290ebe613453c6388f53b17ce319b6757288148257c85ad161daeed

Download Submit
memory/1396-18-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1396-5-0x00007FFE9E630000-0x00007FFE9E640000-memory.dmp

Filesize
64KB

Download
memory/1396-8-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1396-9-0x00007FFE9BD00000-0x00007FFE9BD10000-memory.dmp

Filesize
64KB

Download
memory/1396-10-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1396-11-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1396-12-0x00007FFE9BD00000-0x00007FFE9BD10000-memory.dmp

Filesize
64KB

Download
memory/1396-13-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1396-14-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1396-15-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1396-16-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1396-17-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1396-0-0x00007FFE9E630000-0x00007FFE9E640000-memory.dmp

Filesize
64KB

Download
memory/1396-19-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1396-20-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1396-69-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1396-68-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1396-2-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1396-1-0x00007FFE9E630000-0x00007FFE9E640000-memory.dmp

Filesize
64KB

Download
memory/1396-3-0x00007FFE9E630000-0x00007FFE9E640000-memory.dmp

Filesize
64KB

Download
memory/1396-4-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1396-7-0x00007FFE9E630000-0x00007FFE9E640000-memory.dmp

Filesize
64KB

Download
memory/1396-6-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/4976-43-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/4976-42-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/4976-40-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/4976-39-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/4976-38-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/4976-37-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/4976-36-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/4976-34-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/4976-32-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download
memory/4976-70-0x00007FFEDE5B0000-0x00007FFEDE7A5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads